CPSC Wades Into the Water of Connected Device Guidance with Its “Framework of Safety for the Internet of Things”
In a statement dated January 31, 2019, the Consumer Product Safety Commission (CPSC) released its Framework of Safety for the Internet of Things[1] (the “IoT Framework”), which Commissioner Elliot Kaye referred to in his introductory statement as “just the beginning of a conversation about injury prevention” in connected devices. Commissioner Kaye described the IoT Framework as a “compilation of considerations for designing safer connected devices” and “technology-neutral best practices to incorporate consumer product safety in the design” of products that make up the Internet of Things (“IoT”).[2]
The IoT Framework describes IoT as an “ecology of everyday objects with electronic connections.”[3] Primarily, the IoT Framework provides a list of considerations for product development, potential concerns, and technology-neutral best practices. The IoT Framework is divided into four sections:
- “Manufacturers’ and Retailers’ Roles and Responsibilities,” which provides generalized considerations for product development, such as promoting “corporate receptivity to external reports of defects, flaws, vulnerabilities, malfunctions, and compromises…”;
- “Necessary Evaluations for the Development of All IoT Products,” which provides step-by-step general guidelines for conducting safety risk assessments, including such assessments with respect to products, product systems, and component parts;
- “Potential Countermeasures for Identified Safety Risks,” which provides guidance for how to address risks that are discovered during product assessment, such as including appropriate warnings and instructions and developing “redundant safeguarding” to ensure a system outage won’t result in a safety hazard; and
- “Additional Safety Considerations for Special Product Types,” which provides basic reminders to assess certain safety risks for specific product classes, including, for example, wearable products that come in contact with skin, products used in baby nurseries, and products used in vehicles.
The IoT Framework does not delve into particular technical recommendations and instead functions as a baseline checklist for product development and testing. In place of more particularized guidance, the IoT Framework includes in Appendix A and B links to more detailed and technical guidance documents published by other public and private organizations such as the National Institute of Standards and Technology (NIST), the Organisation for Economic Co-operation and Development (OECD), and the Federal Trade Commission (FTC).
CPSC recently acknowledged that the “growth of IoT-related products is a challenge” for all of its stakeholders, and those stakeholders “must work collaboratively to develop a framework for best practices.”[4] The IoT Framework appears to be the culmination of some of that work. In March 2018, CPSC solicited written comments from stakeholders and announced a public hearing on IoT and consumer product hazards, seeking “information from all interested parties about potential safety issues and hazards associated with internet-connected consumer products” (the “Notice of Hearing”).[5]
At the resulting hearing on May 16, 2018, CPSC convened three panels of four panelists each, hearing from consumer advocacy groups, manufacturing associations, standards organizations, and other interested parties.[6] The panelists identified wide-ranging hazards, from common physical hazards associated with electronic products such as contact burns to hazards unique to connected devices such as the ability of predatory hackers to monitor the location of children. They also shared their visions for addressing the safety concerns of IoT moving forward. Most panelists acknowledged the need for the convening of industry working groups, continued reliance on informal guidance from leaders in network security, and development of voluntary or mandatory standards. While not expressly addressed in the text, the IoT Framework appears to incorporate some of the ideas and information generated by the May 2018 hearing.[7]
IoT has been an area of focus at CPSC over the last few years as internet-connected products have increased in popularity. The CPSC published a Staff Report in January 2017, “Potential Hazards Associated with Emerging and Future Technologies,” that briefly addressed potential safety hazards unique to connected devices as part of its overview of the dangers of emerging technologies generally.[8] In 2018, the focus intensified with CPSC’s solicitation of feedback from the industry.
Stakeholders who have been following CPSC’s progress on this topic may note that the IoT Framework is not intended to address cybersecurity or data privacy. This is a recurring theme in CPSC communications on IoT. In the Notice of Hearing, CPSC admonished presenters to stay within the realm of product safety, stating “this hearing will not address personal data security or privacy implications of IoT devices.”[9] The panelists at the hearing, however, generally took the position that consumer product safety could not be addressed separately from data security and privacy with respect to IoT products.[10] The FTC’s Bureau of Consumer Protection (BCP) also submitted written comments in response to the Notice, opining that “security risks associated with IoT devices may implicate broader safety concerns, not just privacy,” and sharing its “expertise in promoting IoT device security” to make several recommendations to CPSC.[11] Given this feedback, CPSC acknowledges in its IoT Framework the natural intersection of data privacy and product safety while continuing to narrow the focus on the true safety aspects:
This framework is not specifically intended to address issues related to the personal privacy or data confidentiality of information …. While the best practices for injury prevention, information security and consumer privacy often overlap … consumer product safety issues are unique and need special consideration.[12]
Indeed, the IoT Framework’s best practices themselves acknowledge the need to address data security to prevent safety hazards. In several instances in the IoT Framework, CPSC advises the developer to “[a]ddress information security and privacy” in the development of the product, with reliance on previously developed industry guidance from other sources. The IoT Framework also provides some specific data and security recommendations for particular end uses, such as:
- Implementing parental controls when connected devices will be accessed by children;
- Providing adequate “transparency in data collection, data sharing, and data use so that consumers can make informed decisions about their own data and any potential risks that may arise from the repurposing of that data”; and
- Addressing vulnerabilities that could lead to potential criminalization and weaponization of connected systems (such as nursery products or alarm systems) or inherently dangerous products (such as a connected stove).
Industry stakeholders will again take on this inherent overlap at the annual meeting of the International Consumer Product Health and Safety Organization this month in Washington, D.C.[13] The tutorial session, “United Interests, Separate Paths: The Intersection of Product Safety and Privacy in an Interconnected World,” will bring together a panel of experienced practitioners in the consumer product safety and data privacy and security fields to discuss the range of solutions to address the unique risks facing development of connected products.[14]
Manufacturers and developers of connected consumer products, as well as manufacturers of consumer products who are considering connecting their products to the internet, should use this IoT Framework as a basic risk assessment outline. A more precise road map should be developed for each product with a team of skilled professionals familiar with more technical industry guidance and with pragmatic IoT experience, especially where a manufacturer has no prior experience with software development, data, or designing products to secure data.
Given that Commissioner Kaye has called this the “beginning of a conversation” about ensuring the safety of connected devices, the industry will need to stay alert to see whether additional guidelines or standards will emerge from the ongoing discussion.
Meghann Supino is a partner at Ice Miller LLP and a member of the Firm’s Internet of Things Industry Group. Meghann focuses her practice on advising clients of their regulatory obligations to federal and state agencies, with a particular emphasis on compliance with laws and regulations administered by the CPSC. In the IoT space, Meghann helps clients understand how existing regulatory schemes and developing guidance and standards must shape “safety by design” of their products. Meghann may be reached at meghann.supino@icemiller.com or 317-236-2107, or Judy Okenfuss, Chair of the Internet of Things Industry Group, can be reached at judy.okenfuss@icemiller.com or 317-236-2115. For additional IoT information, please visit Ice Miller’s IoT Resource Center.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
[3] IoT Framework at 1. CPSC has previously defined IoT as a connected environment in which “consumer products with a connection to the internet … can transmit or receive data, upload or download operating software or firmware, or communicate with other internet-connected devices.” 83 CFR 13122, The Internet of Things and Consumer Product Hazards: Notice of public hearing and request for written comments, available at https://www.govinfo.gov/content/pkg/FR-2018-03-27/pdf/2018-06067.pdf (“Notice of Hearing”).
[4] Notice of Hearing, 83 CFR 13122.
[6] Panelists’ Presentations, Public Hearing on the Internet of Things and Consumer Product Hazards, U.S. Consumer Product Safety Commission, Bethesda, MD (May 16, 2018), available at https://www.cpsc.gov/s3fs-public/Panelists%20Presentations%20-%20IoT%20and%20Consumer%20Product%20Hazards%20%20Public%20Hearing%20-%20May%2016%202018.pdf?q3A.aOH4qiLleXB3TybNrHi9mwt4yM77 (“Panelists’ Presentations”).
[9] Notice of Hearing, 83 CFR 13122.
[10] See generally, Panelists’ Presentations.
[12] IoT Framework at 1 (emphasis in original).
[13] Information about this event can be found here: https://icphso.org/page/2019_Annual_Meeting.